Unannounced audits consistently catch organisations on the same core failures: outdated documentation, undefined ownership of governance tasks, and a gradual erosion of controls that nobody noticed because nobody was actively watching. These gaps are not unique to any one sector or size of organisation. They tend to emerge wherever governance is treated as a periodic project rather than a continuous, living system. The sections below unpack the most common findings, why they keep recurring, and what continuous governance looks like in practice.
Why do unannounced audits reveal more than scheduled ones?
Unannounced audits reveal more because organisations cannot prepare a curated version of reality. When an audit is scheduled, teams update records, brief staff, and temporarily tighten processes. When auditors arrive without warning, they see the governance system as it actually operates day to day, not the polished version that gets assembled in the two weeks before a planned visit.
This distinction matters enormously for regulated organisations. A scheduled audit tests whether a team can organise documentation under pressure. An unannounced audit tests whether governance is genuinely embedded in daily operations. The findings from unannounced visits therefore reflect structural weaknesses rather than temporary lapses in preparation.
Regulators increasingly favour unannounced or short-notice visits precisely because they produce a more accurate picture of compliance posture. Frameworks such as NIS2 and DORA place significant weight on operational continuity and real-time accountability, not just the ability to produce a binder of policies on demand. Organisations that rely on pre-audit sprints to get ready are, by definition, not meeting the spirit of these requirements.
What documentation failures do auditors most commonly find?
The most common documentation failures auditors find are policies that have not been reviewed since they were first written, records that exist in theory but cannot be located during the audit, and version histories that show no evidence of ongoing maintenance. In short, documentation exists, but it does not live.
This pattern shows up across security, privacy, and quality domains simultaneously. An information security policy may reference a risk register that was last updated eighteen months ago. A data processing register may list systems that have since been decommissioned or replaced. A quality management procedure may describe a process that the team stopped following after a reorganisation.
Outdated policy documents
Policies written at the time of certification often reflect the organisation as it existed then. As teams grow, tools change, and processes evolve, the policy documents fall behind. Auditors look for evidence that policies are reviewed on a defined schedule and that reviews are documented. When that evidence is absent, the finding is not just administrative. It signals that the governance framework is not actively managed.
Missing or incomplete records
Records such as access reviews, incident logs, training completion registers, and supplier assessments are frequently incomplete. The gap is rarely deliberate. It happens because no one has clear ownership of maintaining those records between audit cycles. When an auditor asks for the last three months of access reviews and the team cannot produce them, the underlying problem is not a filing error. It is a governance structure that does not assign ongoing accountability for these tasks.
What does governance drift look like to an auditor?
Governance drift is the gradual loosening of controls, processes, and accountability structures that occurs when no one is actively maintaining the governance system. To an auditor, it looks like a coherent framework on paper that no longer reflects how the organisation actually operates. The further the documented system is from operational reality, the greater the drift.
Common indicators of governance drift include controls that are listed as active but have not been tested in over a year, roles assigned in a RACI matrix that no longer match the current organisational structure, and risk assessments that predate significant changes in the organisation’s technology stack or business model. Each of these individually might seem minor. Together, they indicate that the governance framework has become decorative rather than functional.
Drift is particularly dangerous because it tends to accelerate. Once a few controls slip without consequence, the implicit message is that active maintenance is optional. Over time, the gap between documented governance and actual governance widens to the point where a single unannounced audit can produce a dozen findings that all trace back to the same root cause: no one was watching between certification cycles.
Which roles and responsibilities gaps trigger the most findings?
The roles and responsibilities gaps that trigger the most audit findings are unclear ownership of specific controls, missing escalation paths when incidents or exceptions occur, and governance tasks that are informally handled by one person without documented backup or succession. When that person leaves or is unavailable, the control simply stops functioning.
Auditors are trained to ask “who is responsible for this?” and then verify that the named person is aware of their responsibility and can demonstrate they are fulfilling it. When the answer is “it used to be someone who left” or “we share that between a few people,” the finding is almost guaranteed. Shared ownership without defined accountability is, in practice, no ownership at all.
A related gap appears at the management level. Frameworks like ISO 27001 and NIS2 require demonstrable management involvement in governance, not just sign-off on a policy document. When auditors find that senior leadership cannot articulate the organisation’s current risk posture or describe recent governance decisions, it indicates that governance has been delegated entirely to a technical team without meaningful oversight. This is a significant finding because it undermines the entire accountability structure the framework is built on.
How do cross-domain gaps between security, privacy, and quality create audit risk?
Cross-domain gaps create audit risk because most regulatory frameworks now expect security, privacy, and quality to be managed as an integrated system, not as separate silos. When these domains operate independently, the same underlying risk can be assessed differently by three different teams, controls can conflict or duplicate, and incidents that span domains fall into the gaps between them.
A practical example: a new supplier onboarding process might be reviewed by the security team for access controls, but not assessed by the privacy team for data processing implications, and not checked by the quality team against supplier management procedures. Each team believes the process is covered. In reality, no one has looked at the full picture. An auditor reviewing the supplier under GDPR and ISO 27001 simultaneously will find the gap immediately.
The EU AI Act adds another layer to this challenge in 2026. Organisations deploying AI systems now need to demonstrate governance that integrates technical risk management, data protection considerations, and quality assurance processes for model performance. Organisations that have kept these domains separate will find that meeting AI governance requirements requires significant structural work, not just an additional policy document.
Our integrated governance services are designed specifically to address this cross-domain challenge, combining security, privacy, quality, and AI governance into a single, coherent system rather than treating each as a separate workstream.
What can organisations do to stay audit-ready between certification cycles?
Staying audit-ready between certification cycles requires treating governance as an ongoing operational function rather than a project that activates in the lead-up to an audit. The organisations that consistently perform well in unannounced audits are those that have embedded governance into their regular operational rhythm, with defined owners, scheduled maintenance tasks, and active monitoring of controls.
Several practical steps make a measurable difference:
- Assign named owners to every control, not just to domains. Each control should have a person who is accountable for its ongoing operation and who can demonstrate that accountability when asked.
- Schedule documentation reviews as recurring calendar tasks, not as reactions to audits. Policies, risk registers, and records should have defined review frequencies that are actually followed.
- Run internal spot-checks between cycles. Brief, unannounced internal reviews of a small selection of controls give early warning of drift before an external auditor finds it.
- Align governance tasks to the 36-month certification cycle from the start. Knowing when the next external audit is likely to occur allows organisations to distribute maintenance work evenly rather than front-loading it.
- Integrate cross-domain governance reviews. At least quarterly, security, privacy, quality, and AI governance owners should review shared risks and controls together, not separately.
The underlying principle is straightforward: governance that only gets attention before an audit is governance that will always fail an unannounced one. Continuous governance means the system is always in the state you would want an auditor to see, because it is genuinely operating that way every day. If you want to understand how to build that kind of permanent capability in your organisation, get in touch with us and we will be happy to help.
Frequently Asked Questions
How often should we realistically review governance documentation to stay audit-ready?
Review frequency should be tied to the risk level and rate of change associated with each document. High-risk policies such as information security and data protection should be reviewed at least annually, while operational procedures in fast-changing environments may need quarterly reviews. The key is to set these as fixed, recurring calendar commitments with named owners rather than leaving them as ad hoc tasks — and to document the review itself, not just the updated content.
What is the fastest way to identify governance drift in our organisation right now?
Start by pulling your RACI matrix or responsibility register and verifying that every named owner is still in their role and aware of their accountability — this alone often surfaces significant gaps. Next, check the last-reviewed dates on your top ten most critical policies and controls; anything untouched for more than twelve months is a strong indicator of drift. Running a brief internal spot-check across a handful of controls, without advance notice to the teams involved, will quickly show you whether documented processes match operational reality.
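As an added illustration, not code from the page or from any service it mentions, the following Python script runs the drift indicators named above (owner no longer in role, no documented backup owner, nothing reviewed for more than twelve months, control not tested in over a year) over a control register. The register, staff list, control identifiers and the audit date are all constructed for the example.

```python
from datetime import date

# Constructed sample data (not from the page): who currently holds a role, and a control register.
STAFF_IN_ROLE = {"a.lee": True, "m.chen": True, "j.okafor": False}  # False: person has left

CONTROLS = [
    {"id": "AC-01", "name": "Quarterly access review", "owner": "a.lee", "backup": "m.chen",
     "last_reviewed": date(2025, 11, 2), "last_tested": date(2025, 9, 14)},
    {"id": "IR-02", "name": "Incident log maintenance", "owner": "j.okafor", "backup": None,
     "last_reviewed": date(2024, 6, 30), "last_tested": date(2024, 5, 1)},
    {"id": "SU-03", "name": "Supplier assessment", "owner": "m.chen", "backup": None,
     "last_reviewed": date(2025, 4, 10), "last_tested": None},
]

AUDIT_DATE = date(2026, 3, 1)  # constructed: the day the spot-check is run
MAX_DAYS = 365                 # the page's threshold: untouched for more than twelve months


def control_issues(control, staff_in_role, today, max_days=MAX_DAYS):
    """Return the drift indicators the page names, in a fixed order, for one control."""
    issues = []
    if not staff_in_role.get(control["owner"], False):
        issues.append("owner no longer in role")
    backup = control["backup"]
    if backup is None:
        issues.append("no documented backup owner")
    elif not staff_in_role.get(backup, False):
        issues.append("backup owner no longer in role")
    reviewed_days = (today - control["last_reviewed"]).days
    if reviewed_days > max_days:
        issues.append(f"not reviewed for {reviewed_days} days")
    if control["last_tested"] is None:
        issues.append("never tested")
    elif (today - control["last_tested"]).days > max_days:
        issues.append("not tested in over a year")
    return issues


def drift_findings(controls, staff_in_role, today):
    """Map control id -> list of issues, omitting controls with nothing to report."""
    report = {}
    for control in controls:
        issues = control_issues(control, staff_in_role, today)
        if issues:
            report[control["id"]] = issues
    return report


if __name__ == "__main__":
    for cid, issues in drift_findings(CONTROLS, STAFF_IN_ROLE, AUDIT_DATE).items():
        print(cid, "->", "; ".join(issues))
```

Running it against a real responsibility register would need an export of the register into the same fields; the thresholds are parameters so they can follow the review frequencies the organisation has actually committed to.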
We are a small team — how do we maintain continuous governance without dedicated compliance staff?
Continuous governance does not require a dedicated compliance team; it requires clearly assigned ownership distributed across existing roles. Embed governance tasks directly into the job responsibilities of relevant role-holders — for example, the IT lead owns access review records, the HR lead owns training completion registers — and use lightweight scheduling tools to trigger recurring reminders. The goal is to make governance maintenance a normal part of each person's work rhythm rather than a separate workstream that competes for time.
What is the biggest mistake organisations make when preparing for a certification audit?
The most damaging mistake is treating audit preparation as a one-time sprint rather than evidence that governance has been running continuously. When organisations bulk-update documentation and records in the weeks before an audit, they inadvertently create a paper trail that shows everything was done at the same time — which is itself a red flag for auditors. The fix is not to prepare better sprints, but to eliminate the need for them by maintaining governance as an ongoing operational function throughout the year.
How should we handle governance ownership when a key person leaves the organisation?
Every governance role should have a documented backup owner and a handover procedure that is tested before it is needed, not after. When assigning control ownership, require that the primary owner trains a secondary owner and that both names appear in your responsibility register. Building succession into your governance structure from the outset means that a departure triggers a managed handover rather than a silent control failure that only becomes visible during an audit.
How do we practically integrate security, privacy, and quality governance without overhauling everything at once?
The most practical starting point is a shared risk register that all three domains contribute to and review together, rather than maintaining three separate registers that never intersect. From there, identify the top five processes that touch all three domains — supplier onboarding, incident management, and access control are common candidates — and map out where current reviews stop short of the full picture. Incremental integration of this kind builds cross-domain visibility without requiring an immediate structural overhaul, and it produces immediate audit value.
What should we expect from governance requirements under the EU AI Act, and how does it connect to our existing frameworks?
The EU AI Act requires organisations deploying high-risk AI systems to demonstrate integrated governance across technical risk management, data protection, and quality assurance for model performance — areas that map directly onto ISO 27001, GDPR, and ISO 9001 obligations you may already hold. Rather than building a separate AI governance workstream, the most efficient approach is to extend your existing framework to cover AI-specific controls such as model risk assessments, data lineage documentation, and human oversight procedures. Organisations that have already integrated their security, privacy, and quality governance will find this extension significantly more straightforward than those starting from siloed systems.